Malicious Code Execution in PCI Expansion ROM

From:

Adam Behnke <adam@infosecinstitute.com>

To:

bugtraq@securityfocus.com

Cc:

Subject:

Malicious Code Execution in PCI Expansion ROM

Date:

Mon, 02 July 2012 19:17 GMT

The malicious code in x86/x64 firmware can potentially reside in many
places. One of them is in the PCI expansion ROM. In the past, the small
amount of memory during PCI expansion ROM execution acted as a hindrance to
malicious code. The limited space for code and data limited the possible
tasks that could be carried out by such malicious codes. However, this
article explains how a malicious PCI expansion ROM might exploit a
little-known BIOS memory management interface to break through the memory
"barrier," thus creating a potentially more complex threat. The discussion
in this article is limited to PCI expansion ROM conforming to PCI firmware
revision 3.1 specification.
This newly "discovered" larger memory footprint enables a malware creator to
place (at least) a simple file system infector inside the PCI expansion ROM
(a compressed one). During PCI expansion ROM execution, the compressed file
system infector could have the memory it requires through memory allocation
with the PMM functions, provided that the BIOS implemented PMM-which is most
likely the case in the last 3 to 5 years. Another issue is that a malware
creator might abuse the presence of the "permanent" memory allocated for PCI
expansion ROM through the pmmAllocate() function by using the permanent
memory flag during the call to pmmAllocate().Additionally, a rogue but
simple network "interceptor" code might be possible given the jump in the
memory footprint, and if the interceptor hides in the "permanent" memory, it
could be troublesome.
View here: http://resources.infosecinstitute.com/pci-expansion-rom/ to read
the full article and walkthrough at InfoSec Institute.